Google Developer Competition Aims at Chrome OS Security

Google is underwriting more than $3 million in prize money to developers who help improve Chrome OS security at the CanSecWest security conference.

Google wants to continue to improve the security of its Chrome operating system for users and is putting up $3.1 million in prize money to be paid out to smart developers who help find serious flaws in Chrome OS's code.
The prizes will be awarded in $110,000 and $150,000 increments to developers competing for the money in the latest Pwnium 3 competition to be held March 7 at the CanSecWest security conference, wrote Chris Evans, a member of the Google Chrome Security Team, in a Jan. 28 post on The Chromium Blog.
"Security is one of the core tenets of Chrome, but no software is perfect, and security bugs slip through even the best development and review processes," wrote Evans. "That's why we've continued to engage with the security research community to help us find and fix vulnerabilities."
The competition will be held alongside Hewlett-Packard's Zero Day Initiative (ZDI) vulnerability-finding event, which along with the annual Pwn2Own competition will be held at CanSecWest from March 6 to 8 in Vancouver, British Columbia, Canada.

Google Chrome is already featured in the Pwn2Own competition, wrote Evans, so Google decided to offer a separate Pwnium 3 prize pool where developers would compete by trying to find serious security flaws in Chrome OS.

The Pwnium 3 rewards for uncovering Chrome OS flaws have specific requirements for payment, wrote Evans.
"The attack must be demonstrated against a base (WiFi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS," he wrote. "Any installed software (including the kernel and drivers, etc.) may be used to attempt the attack.
A Chromium OS developer's guide offers assistance on getting up and running inside a virtual machine for those who lack access to a physical device, Evans noted.
Competitors must follow standard Pwnium rules, wrote Evans. Their entries must include the full exploit of the alleged flaw as well as its "accompanying explanation and breakdown of individual bugs used."
In addition, the entry exploits "should be served from a password-authenticated and HTTPS [HTTP Secure]-supported Google property, such as Google App Engine," wrote Evans. "The bugs used must not be known to us or fixed on trunk. We reserve the right to issue partial rewards for partial, incomplete or unreliable exploits."
The awards for winning entries will be paid out at $110,000 for browser- or system-level compromises in guest mode or as a logged-in user, delivered via a Web page, and $150,000 for compromises made through device persistence, such as a guest to guest with interim reboot, delivered via a Web page, according to the post.
"We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared with traditional operating systems," wrote Evans. "This year we've teamed up with ZDI by working together on the Pwn2Own rules and by underwriting a portion of the winnings for all targets."
The new rules enable a contest that "significantly improves Internet security for everyone," said Evans. "At the same time, the best researchers in the industry get to showcase their skills and take home some generous rewards."
Google often seeks input from developers to help make security and operational improvements to its products.
Earlier in January, Google announced that it will hold hackathon events in San Francisco and New York City to collect developer input on the Google Glass effort. The events are being held Jan. 28 and 29 in San Francisco and Feb. 1 and 2 in New York. The hacking events will focus on the Google Mirror API, which provides the ability to exchange data and interact with the user. The sessions will also include discussions with Google engineers about continuing development on Glass, as well as demos with special guest judges.
The Google Glass project was unveiled at the Google I/O conference last year as an eyewear-mounted computer that will have a wide range of innovative features when it hits the consumer market. Attendees of that conference were given the opportunity to sign up to buy early Explorer Edition versions of Google Glass for $1,500. Google officials said those versions were expected to become available in early 2013, with consumer versions expected at least a year later.
The Google Glass demonstration at Google I/O put the basic components of the devices on display, featuring an Android-powered display, a tiny Webcam, a GPS locator and an Internet connection node built into one side of a pair of glasses. The glasses are lightweight and may or may not have lenses.